            +---------+
            | Root CA |
            +---------+
                /\
               /  \
              /    \
             /      \
            /        \
           /          \
          /            \
         /              \
  +-----------+    +-----------+
  | Server CA |    | Client CA |
  +-----------+    +-----------+

Given the above CA hierarchy, how can I configure a (server) SSL_CTX to
accept connections *only* from clients which present a certificate
signed by the Client CA?

As is well documented, I cannot simply trust the Client CA.
SSL_accept() will fail, because it cannot form a certificate chain all
the way to the self-signed Root CA.

I have found, however, that adding the Root CA certificate to the
trusted certificate file/directory causes certificates signed by the
Server CA to be accepted as well.  (The client has to present both its
certificate and the Server CA certificate, but it is able to connect.)

So how can I do this?  Thanks!

-- 
========================================================================
Ian Pilcher                                         arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
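The following is an added example, not part of the original post or of OpenSSL's own code. It rebuilds the Root -> {Server CA, Client CA} hierarchy from the question with throwaway P-256 keys and then runs the four verification cases the post describes through the openssl command-line tool: trusting only the Client CA fails for the reason the poster gives (no path to the Root), trusting the Root admits certificates issued by the Server CA, and making the Client CA a trust anchor with `-partial_chain` accepts Client CA certificates while still rejecting Server CA ones. `-partial_chain` is the CLI spelling of the verify flag `X509_V_FLAG_PARTIAL_CHAIN` (OpenSSL 1.0.2 and later); all file names, CNs and the config profiles below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the Root -> {Server CA,
# Client CA} hierarchy with throwaway keys, then show how a verifier trusts
# *only* the Client CA by making it a trust anchor (X509_V_FLAG_PARTIAL_CHAIN,
# exposed as -partial_chain in the openssl CLI).
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Minimal config: an empty DN section (subjects come from -subj) plus two
# extension profiles, one for CA certificates and one for client leaf certs.
cat >"$PKI/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_key_and_csr NAME: fresh P-256 key plus a CSR with CN=NAME.
new_key_and_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$PKI/pki.cnf" -subj "/CN=$1" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# issue NAME ISSUER PROFILE: sign NAME's CSR with ISSUER's key using [PROFILE].
issue() {
    openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
        -CAcreateserial -days 1 -extfile "$PKI/pki.cnf" -extensions "$3" \
        -out "$PKI/$1.pem" 2>/dev/null
}

# Self-signed Root CA, then the two intermediates and one client under each.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$PKI/pki.cnf" -extensions ca -subj "/CN=root" -days 1 \
    -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
new_key_and_csr server-ca;     issue server-ca    root      ca
new_key_and_csr client-ca;     issue client-ca    root      ca
new_key_and_csr good-client;   issue good-client  client-ca leaf
new_key_and_csr wrong-client;  issue wrong-client server-ca leaf

# accepted FLAGS ANCHOR LEAF [UNTRUSTED]: exit 0 iff `openssl verify` accepts
# LEAF when ANCHOR is the only trusted certificate. UNTRUSTED, if given, is
# offered as an intermediate the way a TLS client would send it in its chain.
accepted() {
    flags=$1; anchor=$2; leaf=$3; untrusted=${4:-}
    if [ -n "$untrusted" ]; then set -- -untrusted "$PKI/$untrusted.pem"; else set --; fi
    # $flags is deliberately unquoted so an empty value adds no argument.
    openssl verify $flags -CAfile "$PKI/$anchor.pem" "$@" "$PKI/$leaf.pem" >/dev/null 2>&1
}

# show DESCRIPTION ARGS...: print the verdict for one of the cases in the post.
show() {
    desc=$1; shift
    if accepted "$@"; then echo "ACCEPTED: $desc"; else echo "REJECTED: $desc"; fi
}

show "trust Client CA only, no -partial_chain (the post's SSL_accept failure)" \
    "" client-ca good-client
show "trust Root CA: a Server-CA-issued client gets in (the post's problem)" \
    "" root wrong-client server-ca
show "Client CA as anchor with -partial_chain: Client-CA-issued client" \
    "-partial_chain" client-ca good-client
show "Client CA as anchor with -partial_chain: Server-CA-issued client, Server CA cert offered" \
    "-partial_chain" client-ca wrong-client server-ca
```

The server-side equivalent of `-partial_chain` is to load only the Client CA certificate with `SSL_CTX_load_verify_locations()`, set `X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), X509_V_FLAG_PARTIAL_CHAIN)`, and keep `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` in `SSL_CTX_set_verify()`; `SSL_CTX_set_client_CA_list()` with just the Client CA name additionally tells clients which issuer the CertificateRequest wants. A client certificate signed by the Server CA then fails with "unable to get issuer certificate" exactly as in the last case above, because the Root is no longer a trust anchor.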
